Cisco ASA5555-X L2L ipsec goes down.

Hey

I have a huge problem with a remote site. We have a L2L tunnel going from an ASA5555-X to a Palo Alto (also tried Fortigate) on a remote site.

The tunnel works for a while, can be 12 hours, 24 hours or 48 hours approx, but then it goes down. Sometimes it helps to clear crypto on the ASA or the remote Palo Alto, sometimes you have to change something in the config (phase1 or 2) before it comes up again.

The main firewall on the remote site is a Palo Alto, we tried a Fortigate and it worked for 4 weeks without a problem, but then it dropped, they have now switched back to the PA and the problems continue.

The Cisco is standing in this mode when the problem occurs:

2   IKE Peer: 82.146.80.3
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Error on the ASA:

[attached image: cisco.jpg]

Attached is also a log from the Palo Alto when the problem occurs. (PA.log)

Can anyone help me ?

Thank you.

Please rate as helpful, if that would be the case. Thanx

Jouni Forss
VIP Alumni

Hi,

Isn't the log you attached actually from the ASA and not the Palo Alto?

I am not sure if I can be of any help though.

Generally the MM_WAIT_MSG2 state simply means that this host is waiting for a reply from the remote peer and if it stays in this then it means the remote device simply doesn't reply.

I have only experienced this kind of problem with one of our many L2L VPN where our device is a Cisco ASR1001. The L2L VPN will keep on working for a long period of time. Then at some point where rekey is done the connection just breaks.

With a different "show" command I can see a rekey is in process BUT also it seems that the device is at the same time trying to initiate a new L2L VPN connection completely. And this is something I think I should not be seeing. Your above ASA log picture seems to hint at the same sort of situation. It states something about existing connection.

The log messages you posted/attached (which to me seem to be from the ASA) suggest that the L2L VPN connection's lifetime value is pretty low (P2 3060 seconds)

I wonder if it would help at all for you to configure longer lifetime values or just change them for this L2L VPN connection alone and see if the problems are as frequent as they have been?

Otherwise I would suggest opening a TAC case unless someone here could answer your question.

I fear that even though I know how to configure these connections and do some basic troubleshooting I simply don't have the "know how" to interpret the debug/log messages.

- Jouni
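As an added illustration (not code from the thread or from Cisco), the following Python check parses `show crypto isakmp sa` output in the ASA's usual layout and flags IKEv1 SAs that are not established, reading MM_WAIT_MSG2 the way the reply above describes it: the initiator sent its first main-mode message and the peer never answered. The sample output is constructed with RFC 5737 documentation addresses, and the list of expected L2L peers is an assumption of the example, so a tunnel with no IKE SA at all is also reported.

```python
"""Parse Cisco ASA `show crypto isakmp sa` output and flag IKEv1 SAs that are
not established (e.g. stuck in MM_WAIT_MSG2). Added example; assumes the
standard ASA output layout and uses constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output in the ASA's usual layout (RFC 5737 documentation
# addresses; the hypothetical peer 192.0.2.20 shows the state from the thread).
SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 192.0.2.20
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# One 'IKE Peer' block: index/peer line, Type/Role line, Rekey/State line.
ENTRY_RE = re.compile(
    r"^(?P<index>\d+)\s+IKE Peer:\s+(?P<peer>\S+)[ \t]*\n"
    r"[ \t]+Type\s+:\s+(?P<type>\S+)\s+Role\s+:\s+(?P<role>\S+)[ \t]*\n"
    r"[ \t]+Rekey\s+:\s+(?P<rekey>\S+)\s+State\s+:\s+(?P<state>\S+)",
    re.MULTILINE,
)

# States in which phase 1 is complete (main mode / aggressive mode).
ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}


@dataclass(frozen=True)
class IkeSa:
    index: int
    peer: str
    sa_type: str
    role: str
    rekeying: bool
    state: str


def parse_isakmp_sa(output: str) -> list[IkeSa]:
    """Return one IkeSa per 'IKE Peer' block found in the show output."""
    return [
        IkeSa(int(m["index"]), m["peer"], m["type"], m["role"],
              m["rekey"].lower() == "yes", m["state"])
        for m in ENTRY_RE.finditer(output)
    ]


def explain_state(sa: IkeSa) -> str:
    """Short operator-facing reading of an IKEv1 SA state."""
    if sa.state in ESTABLISHED:
        return "established"
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", sa.state)
    if m:
        n = int(m.group(1))
        if n == 2:
            # Initiator sent MSG1 and is waiting for the responder's MSG2.
            return ("initiator sent main-mode message 1 and got no reply; "
                    "peer unreachable, not responding, or rejecting the proposal")
        return f"waiting for main-mode message {n} from the peer"
    return f"unexpected state {sa.state}"


def find_problems(output: str, expected_peers: set[str] | None = None) -> list[str]:
    """Findings for an alerting check: non-established SAs and, if a set of
    expected L2L peers is given, peers with no IKE SA at all (tunnel fully down)."""
    sas = parse_isakmp_sa(output)
    findings = [
        f"{sa.peer}: {sa.state} ({sa.role}) - {explain_state(sa)}"
        for sa in sas if sa.state not in ESTABLISHED
    ]
    if expected_peers:
        seen = {sa.peer for sa in sas}
        findings += [f"{p}: no IKE SA present" for p in sorted(expected_peers - seen)]
    return findings


if __name__ == "__main__":
    # Hypothetical expected peer list; 192.0.2.30 has no SA in the sample.
    for line in find_problems(SAMPLE_OUTPUT, {"192.0.2.10", "192.0.2.20", "192.0.2.30"}):
        print(line)
```

Feeding the real command output into `find_problems` from a poller (for instance every minute over SSH) gives a timestamped record of when the SA left MM_ACTIVE, which is what you want beside the rekey timers when comparing the ASA's and the peer's view of the same failure.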

Sir you are right, the log is from my Cisco box. I have lost the logs from the P.A. I agree with your statements and thoughts. We have tried different lifetimes, and it seems like a rekey goes wrong. I have experienced a lot of problems with the different ASA firmwares on the 5555-X, both NAT and VPN issues. TAC is probably the way to go.

Please rate as helpful, if that would be the case. Thanx

I have a TAC on this now but haven't heard anything. Attaching a log to this post, great if you could take a look. The problem has changed somehow. Phase 1 seems to never go down, but it renegotiates Phase 2 for 4-40 minutes before it comes up.

Please rate as helpful, if that would be the case. Thanx

Hi Jon,

Not sure if you have already solved this with TAC, but have you checked CPU and Memory usage at the time the issue occurs?

-David

CPU or mem is not the case on any of the units.

Please rate as helpful, if that would be the case. Thanx